Data Security Considerations in Healthcare Interoperability

The national push for healthcare interoperability continues to gain strength, but there are key data security areas that covered entities must consider as they implement new technologies.

While more healthcare organizations are utilizing electronic health records (EHRs) and adding to the increase in healthcare interoperability, finding a health IT option that provides better patient care and keeps PHI secure is not always easy.

Data security concerns can make both covered entities and patients hesitant to jump on board with the interoperability push.

Interoperability allows organizations to send data across health IT systems and receive it in a readable, usable manner.

The Healthcare Information and Management Systems Society (HIMSS) describes the foundational level of interoperability as “data exchange from one information technology system to be received by another and does not require the ability for the receiving information technology system to interpret the data.”

There is also a structural level that “defines the structure or format of data exchange (i.e., the message format standards) where there is uniform movement of healthcare data from one system to another such that the clinical or operational purpose and meaning of the data is preserved and unaltered.”

Regardless of the interoperability definition, though, the data being transferred must remain secure.

It is important to advance healthcare for both exchange and interoperability. Organizations need to understand the health data exchange challenges and find applicable solutions.

Potential data security risk areas with interoperability

Privacy concerns often arise with interoperability as health data sharing is one of its key aspects. More providers can have access to information, which could help improve patient care, but it also opens up more potential opportunities for the data to become compromised.

Provider decision making could improve, and there could be more accurate treatment decision making. There is definitely tension between health data availability and the appropriate data protection and use.

“It is always the case that when one is the steward, when a company is the steward of sensitive data, it is responsible for ensuring that the data is only used, or disclosed, as is appropriate and allowed by governing law,” Indiana Health Information Exchange (IHIE) Vice President, General Counsel, Privacy Officer Valita Fredland told HealthITSecurity.com in a 2016 interview. “There are also the expectations of the individuals whose information it is.”

The population health and accountable care initiatives will also benefit from improved interoperability, and having health data be more readily available. Fredland explained that for the information to be made available, it will be exchanged across a legal landscape that has varying degrees and various levels of privacy and security rules and regulations.   

“It's fair to say that for a privacy professional in this day and age, he or she needs to be familiar with not only the state expectations and regulations on sensitive data, but national and international, because data can travel,” Fredland said.

The legal landscape is very complex in regard to privacy and security regulations, which creates a great challenge for any privacy professional thinking about interoperability and serving a client.

Healthcare organizations should also consider their HIPAA audit preparation in relation to interoperability, Fredland maintained.

A covered entity must know where PHI is stored and to where it may be transferred. The aspect of transferring data fits perfectly with interoperability, she said.

“Interoperability just raises additional questions about mapping data so that organizations responsible for compliance with HIPAA and HITECH need to ensure the same privacy and security compliance with interoperability exchanged data, as with their other sensitive data.”

Covered entities and business associates will need to ensure that they regularly update all data security measures, conduct appropriate employee training, and work to keep all connected devices secure.

Failing to account for any of these aspects could lead to a data breach. That was part of the concern raised in 2015 by St. Paul, Minnesota-based clinical psychologist Peter Zelles.

Minnesota’s EHR interoperability law requires providers to use EHRs and also connect to a state-certified health information organization. 

“The Minnesota e-Health Advisory Committee and [Minnesota Department of Health] recommend that all providers demonstrate progress toward achieving the EHR and interoperability requirements,” the MDH website states. “As health care providers make progress toward the safe, secure and interoperable exchange of health data, our Minnesota health care system will be better positioned to achieve the greater vision of health care reform.”

Zelles explained in an opinion piece that having psychological records included in the law was concerning. The mandate could even mean “the end of psychotherapy as a useful treatment.”

Similarly, the Citizens’ Council for Health Freedom claimed in 2015 that new EHR interoperability requirements would potentially make inappropriate PHI access easier.

“EHRs are not only dangerous for patients and impose costly and time-consuming requirements on doctors, now the EHR is turning into a national security nightmare,” CCHF President and Co-founder Twila Brase wrote in an opinion piece at the time. “If background checks and security clearances can be hacked, so can sensitive and private medical records.” 

How federal agencies are approaching healthcare interoperability

Data security is also a top interoperability priority for several federal agencies.

The Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC) released the final version of its interoperability roadmap toward the end of 2015.

Connecting Health and Care for the Nation discussed how nationwide interoperability could be achieved over the next decade, saying that the goal of a learning health system that centers around patients is possible.

“If we steadily and aggressively advance our progress we can make it a reality,” the executive summary read. “We must focus our collective efforts around making standardized, electronic health information securely available to those who need it and in ways that maximize the ease with which it can be useful and used.”

The roadmap maintained that strong and effective data security safeguards are essential in the interoperability push. There must be greater transparency in how patient data is used, and it will be necessary to consider patient preferences in how their data is handled.

There must be “a stable, trusted, secure, widely available network capability that supports technology developer-neutral protocols and a wide variety of core services” for an interoperable and learning health system.

ONC added that between 2015 and 2017 “OCR will consider where additional guidance may be needed to help stakeholders understand how HIPAA Privacy and Security Rules apply in an environment where ACOs and other multi-stakeholder entities permeate the landscape in support of value-based purchasing.”

In a series of blog posts in 2016, ONC Chief Privacy Officer Lucia Savage, J.D. and ONC Privacy Analyst Aja Brooks, J.D. explained how HIPAA regulations are not actually a hindrance to interoperability and health data sharing.

HIPAA protects PHI and allows data to be accessed, used, or disclosed interoperably, the two wrote.

“Some providers are not sharing PHI due to their healthcare organization’s policies, procedures, or protocols, even if the sharing is permitted under HIPAA, or because laws in the provider’s state apply in addition to HIPAA,” wrote Savage and Brooks. “Interestingly, this lack of exchange of PHI runs contrary to consumer perception, with research demonstrating that patients assume their PHI is automatically shared between their treating physicians.”

For example, HIPAA permits certain uses and disclosures of information for patient treatment and healthcare operations. Specifically, covered entities can disclose PHI to other covered entities or business associates without patient consent in certain conditions.

These include, but are not limited to, the following:

  • Conducting quality assessment and improvement activities
  • Developing clinical guidelines
  • Conducting patient safety activities as defined in applicable regulations

However, it is important to note that both covered entities must have a relationship with the patient and the PHI must pertain to that relationship. Also, only the minimum information necessary can be disclosed in those situations.

The Food and Drug Administration (FDA) has also underlined the importance of healthcare data security, patient safety, and risk management for IT developers and users.

The FDA published its Design Considerations and Pre-market Submission Recommendations for Interoperable Devices draft guidance in 2016, underlining necessary safety precautions for IT developers as they create interoperable health devices.

“Including an electronic data interface on a medical device may have an impact on the security and other risk management considerations for the medical device, the network, and other interfaced devices,” the FDA wrote. “Analysis of risks due to both the intended and unintended access of the medical device through the interface should be considered.”

Interoperable devices can improve care coordination and patient data access, but they may also increase healthcare data breach risk, according to the FDA.

Therefore, health IT manufacturers should consider the following:

  • Whether implementation and use of the interface degrades the basic safety or risk controls of the device;
  • Whether implementation and use of the interface/interfaces degrades the essential performance of the device;
  • Whether the appropriate security features are included in the design;
  • Whether the device has the ability to handle data that is corrupted or outside the appropriate parameters.

“FDA recommends that manufacturers include in their risk management approach a particular focus on the potential hazards, safety concerns, and security issues introduced when including an electronic data interface,” the draft guidance stated.

Other considerations for healthcare interoperability, HIE use

Utilizing multi-factor authentication, data encryption methods, and proper employee training are all necessary tools for improving health data privacy and security through HIE use. As healthcare organizations work toward nationwide interoperability, these and other security methods are just as essential.

Similarly, Direct messaging has become a more popular communication method.

DirectTrust President and CEO David C. Kibbe, MD, MBA explained in January 2017 that this shows the continued growth of Direct as a “national platform for interoperability among users of hundreds of different vendors’ EHR, PHR and other IT products.”

“As EHRs become virtually ubiquitous in hospitals and medical practices, Direct messaging adds value by virtue of being ‘plugged in’ and able to replace fax and mail for all sorts of transactions, without the end user having to leave his or her EHR system,” Kibbe said in a statement. “It’s important that Direct be convenient and work flow friendly.”

Care coordination and clinical messaging for referrals and alerts are often the top Direct uses. However, Kibbe added that Direct messaging is increasingly being used for administrative and research data communications.

“As demand for Direct grows, vendors are increasingly improving their usability for Direct, and adding file formats that can be shared as attachments,” he explained. “I am really encouraged to see those ‘last mile’ types of problems being addressed across the entire industry.”

DirectTrust was also part of a Governmental Trust Anchor Bundle, released in conjunction with the Federal Health Architecture (FHA) in 2016.

The Bundle was designed to help as many as 23 federal agencies start using Direct messaging for secure healthcare information exchange in the private sector.

At the time, Kibbe said in a statement that the move was an important step for advancing secure health data exchange.

“We look forward to secure electronic Direct messaging with attachments replacing fax and mail for care coordination among clinicians in government health facilities and their counterparts in the private sector,” he stated. “Considerable and significant benefits can be expected for the care of millions of Americans, including veterans and active duty military personnel, and their families.”

The agreement will also allow DirectTrust federal partners to “operate their Direct implementations within the Security and Trust Framework of DirectTrust.” Furthermore, Medicaid, HIE programs, and state health and public health departments were expected to benefit from the move. Stricter security controls apply in those instances, as required by the agreement itself.

Overall, interoperability can be a critical tool for healthcare. However, covered entities, business associates, and even health IT device manufacturers cannot afford to overlook data security measures.

Any connected devices being used must have built-in security measures and undergo regular updates. HIPAA regulations (i.e., technical safeguards, physical safeguards, administrative safeguards) should also be updated on a regular basis, and employees at all levels need security training.

The interoperability push is unlikely to slow down anytime soon, and healthcare needs to prepare itself to avoid any data security or privacy breaches.

One potential way that healthcare interoperability could improve is through the use of blockchain technology, which organizes data so transactions can be verified and recorded through the consensus of all parties involved.

Any data entered into a computer system or EHR/EMR can have each transaction or entry validated. This could include anything from a financial transfer to an update to an individual’s personal health record. Each new action is verified against an authoritative ledger of previous events. 

Furthermore, members can enter information to their own ledger copy, rather than the data being held in one location. No new transactions can be approved unless a majority agrees that the requested action is accurate.

For data security, a patient’s differing interactions in the healthcare system can be repaired and there could be multiple checkpoints instead of one single gateway for sensitive data.

The validation aspect is what will set blockchain technology apart from regular HIE. Patients and providers will need to trust that the HIE is accurate about the records moving between hospitals and other organizations. 

“Providers can add a new record associated with a particular patient, and patients can authorize sharing of records between providers,” Beth Israel Deaconess CIO Dr. John Halamka and colleagues from the MIT Media Lab explained in a paper. “In both cases, the party receiving new information receives an automated notification and can verify the proposed record before accepting or rejecting the data. This keeps participants informed and engaged in the evolution of their records.”
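
The majority-validation idea described above, as a simplified added sketch (not code from the article, the cited paper, or any blockchain product): each member keeps its own hash-chained ledger copy, and a new entry is appended only when a strict majority of members approves it. The `Member` class, the `propose` function, and the patient identifiers are hypothetical and constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry

def entry_hash(prev_hash, record):
    """Bind a record to the hash of the entry before it."""
    body = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Member:  # one participant holding its own copy of the ledger
    def __init__(self):
        self.ledger = []  # entries: {"prev": ..., "record": ..., "hash": ...}

    def head(self):
        return self.ledger[-1]["hash"] if self.ledger else GENESIS

    def chain_is_intact(self):
        """Recompute every hash; an edited past entry breaks the chain."""
        prev = GENESIS
        for e in self.ledger:
            if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
                return False
            prev = e["hash"]
        return True

    def vote(self, p):
        """Approve only a well-formed proposal that extends an intact copy."""
        return (self.chain_is_intact() and p["prev"] == self.head()
                and p["hash"] == entry_hash(p["prev"], p["record"]))

def propose(members, proposer, record):
    """Append to the approvers' copies only if a strict majority approves."""
    prev = proposer.head()
    p = {"prev": prev, "record": record, "hash": entry_hash(prev, record)}
    approvers = [m for m in members if m.vote(p)]
    approved = 2 * len(approvers) > len(members)
    for m in (approvers if approved else []):
        m.ledger.append(copy.deepcopy(p))
    return approved

def demo():  # constructed scenario: three members; one edits its own past entry
    members = hospital, clinic, lab = [Member() for _ in range(3)]
    first = propose(members, hospital, {"patient": "P-001", "event": "result added"})
    clinic.ledger[0]["record"]["event"] = "altered"  # tamper with one copy only
    second = propose(members, lab, {"patient": "P-001", "event": "record shared"})
    stale = propose(members, clinic, {"patient": "P-001", "event": "bogus"})
    return first, second, stale, len(hospital.ledger), len(clinic.ledger)
```

In the constructed scenario, the member whose copy was altered can no longer approve or originate entries, while the two intact copies still reach a majority and continue to advance.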
